uakfdotb
commented
9 years ago I think this can only be supported if users provide an e-mail address, unless we want security questions. So we ask for username and e-mail address, if both match then we send them password reset email with link to form and random token, tokens expire after twelve hours.
Users should be able to reset password somehow, maybe?